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ABSTRACT 

Consider an asynchronous system with private channels and 
n processes, up to t of which may be faulty. We settle a long- 
standing open question by providing a Byzantine agreement 
protocol that simultaneously achieves three properties: 

1. (optimal) resilience: it works as long as n > 3t; 

2. (almost-sure) termination: with probability one, all 
nonfaulty processes terminate; 

3. (polynomial) ejficiency: the expected computation time, 
memory consumption, message size, and number of 
messages sent are all polynomial in n. 

Earlier protocols have achieved only two of these three prop- 
erties. In particular, the protocol of Bracha is not polynomi- 
ally efflcient, the protocol of Feldman and Micali is not opti- 
mally resilient, and the protocol of Canetti and Rabin does 
not have almost-sure termination. Our protocol utilizes a 
new primitive called shunning (asynchronous) verifiable se- 
cret sharing (SVSS), which ensures, roughly speaking, that 
either a secret is successfully shared or a new faulty pro- 
cess is ignored from this point onwards by some nonfaulty 
process. 

Categories and Subject Descriptors 

C.2.4 [Computer-Communication Networks]: Distributed 
SystemsF.O [Theory of Computation]: General. 

General Terms 

Security, Theory 
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1. INTRODUCTION 

The Byzantine agreement problem, introduced in 1980 by 
Pease, Shostak, and Lamport [13], has emerged as one of the 
most fundamental problems in Distributed Computing. The 
problem is easy to describe: each process has an input value; 
the goal is for all processes to agree on a consensus value that 
is an input value of one of the processes. The challenge lies 
in reaching agreement despite the presence of faulty pro- 
cesses. Many variants of the problem have been studied. 
After three decades of extensive research, tight bounds have 
been obtained for almost all of the variants, with one signif- 
icant exception: asynchronous Byzantine agreement, where 
communication channels between processes have unbounded 
delay (although messages are guaranteed to arrive eventu- 
ally), and the faulty processes are malicious in an arbitrary 
way (though noirfaulty processes have secure private chan- 
nels) . 

An execution of a Byzantine agreement protocol is non- 
terminating if some nonfaulty process does not output a 
value. The celebrated result of Fischer, Lynch, and Pater- 
son [11] shows that any protocol that never reaches disagree- 
ment (i.e., has no executions where two nonfaulty processes 
output different values) must have some nonterminating ex- 
ecutions. For a protocol that never reaches disagreement, 
the best we can hope for is that the set of nonterminat- 
ing executions has probability 0. We say such protocols are 
almost-surely terminating. Ben-Or [1] showed that almost- 
surely terminating asynchronous Byzantine agreement can 
be achieved as long as n > 5i, where n is the number of pro- 
cesses in the system and f is a bound on the number of faulty 
processes. However, his protocol required an expected num- 
ber of rounds that is exponential in n. This started a lengthy 
sequence of research on asynchronous Byzantine agreement; 
see, for example, [1, 3, 4, 9, 12, 14]. It is well known that 
Byzantine agreement for n processes cannot be reached if 
n < 3t [13]. Therefore the best resilience one can hope for 
is 71 > 3t. We will call such protocols optimally resilient. 
Bracha [3] provides an almost-surely terminating protocol 
that is optimally resilient. However his protocol does not 
scale well with the size of the system, since, like Ben-Or's, 
the expected number of messages and rounds is exponential 
in n. Feldman and Micali [9] provide a Byzantine agree- 
ment protocol for the synchronous model with optimal re- 
silience and constant expected running time. They extend 



their result to the asynchronous model, where they provide 
a polynomial-time algorithm that almost-surely terminates, 
but does not have optimal resilience; their protocol requires 
that n > At. Canetti and Rabin [4, 5] provide a protocol 
that is optimally resilient (n > 3t) and polynomially effi- 
cient. Their result uses ideas from Rabin and Ben-Or [14] 
on verifiable secret sharing (VSS) in synchronous systems 
equipped with a broadcast channel. The techniques of [14] 
have an inherent nonzero probability of failure; as a result, 
in the asynchronous implementation of [4], the protocol is 
not almost-surely terminating. Indeed, in [5], the authors 
explicitly highlighted the problem of finding a protocol that 
simultaneously achieves optimal resilience, almost-sure ter- 
mination, and polynomial efficiency. Up to now, despite 
repeated efforts, this has not been done. The main result of 
this paper is to provide such a protocol. 

Pretty much all protocols following Bracha's [3] used his 
idea of reducing the problem of Byzantine agreement to that 
of implementing a shared coin. We do that as well. We 
obtain a shared coin using an approach that goes back to 
Feldman and Micali [9, 10], who essentially reduce the prob- 
lem of efficiently implementing a shared coin to that of effi- 
ciently implementing VSS. Roughly speaking, the secrets in 
VSS are used to generate a shared coin. We refer the reader 
to Canetti's thesis [6] (Chapters 4 and 5) for a comprehen- 
sive account of the rather complex reduction from VSS to 
Byzantine agreement in the asynchronous model. 

The protocol of Canetti and Rabin [4] also uses the re- 
duction from verifiable secret sharing to Byzantine agree- 
ment. The only reason that their protocol is not almost- 
surely terminating is that they use a protocol that they call 
Asynchronous Verifiable Secret Sharing (AVSS), which has 
a small (but nonzero) probability of not terminating. Our 
protocol has essentially the same structure as the Canetti- 
Rabin protocol. Indeed, it uses the same reduction from 
AVSS to Byzantine agreement as in [4], except that the use 
of AVSS is replaced by a variant of AVSS that we call shun- 
ning (asynchronous) verifiable secret sharing (SVSS). which 
is guaranteed to terminate almost-surely. 

To explain the properties of SVSS, we first review the 
properties of standard VSS (verifiable secret sharing). VSS 
involves a dealer who has a value to share, which we think 
of as the dealer's secret. It has two key properties, known as 
validity and binding. Informally, the validity property guar- 
antees that, if the dealer is nonfaulty, then all nonfaulty 
processes will reconstruct the dealer's value; the binding 
property guarantees that a faulty dealer must commit to 
a value during what is called the share phase of the pro- 
tocol. Our SVSS scheme has weaker validity and binding 
properties. Specifically, we require that in each invocation 
where the validity or binding properties do not hold, at least 
one nonfaulty process ignores at least one new faulty process 
from that invocation on. The key observation is that this 
limits the adversary to breaking the validity and binding 
properties at most a polynomial number of times. 

The SVSS protocol uses a weaker protocol called moder- 
ated weak shunning (asynchronous) VSS (MW-SVSS). The 
MW-SVSS protocol is a variant of VSS with a dealer and 
an additional entity called a moderator. In MW-SVSS the 
dealer has some input value s and the moderator has some 
input value s' . The nonfaluty moderator's task is to enforce 
during the share phase that the value that the dealer shares 
is s' (hence s = s' if both are nonfaulty). The initials MWS 



characterize how MW-SVSS differs from standard VSS: 

• Moderated. A faulty dealer must commit to the 
value of the nonfaulty moderator in order to complete 
the share protocol. (Katz and Koo [12] use a modera- 
tor for VSS in a somewhat similar way.) 

• Weak. As in weak VSS [4, 14], the binding property 
of VSS is weakened so that each process reconstructs 
either the committed value or a default value (denoted 

• Shunning. Like SVSS, it is possible that neither va- 
lidity nor the weaker binding property hold, but in that 
case at least one nonfaulty process ignores at least one 
new faulty process from this stage on. 

As in the VSS scheme used in [2, 9, 10], the SVSS scheme 
starts with a dealer who shares a degree-f bivariate polyno- 
mial f{x,y) such that /(0,0) is the secret. Each process i 
gets t-\-l values of each of the polynomials g{y) — f{i, y) and 
h{x) — f{x,i), which is enough to reconstruct them, since 
they both have degree t. Then, roughly speaking, each pair 
{i,j) of processes uses MW-SVSS to commit to f{i,j) and 
.f(j,i). This ensures that if either i or j is nonfaulty then 
the reconstructed values of the MW-SVSS protocol will be 
either ± or the required values (/(i, j), f{j, i)). We then use 
this fact to prove the properties of the SVSS protocol. 

The key property of the MW-SVSS protocol is its use of 
a fault-detection mechanism. The mechanism has the prop- 
erty that a nonfaulty process might not explicitly know it 
has detected a faulty process. The only guarantee is that 
it will act as if it has detected a faulty process, by ignoring 
all messages from the detected process for the rest of the 
protocol. This behavior is somewhat reminiscent of the fail- 
ure detector oW [7] in the sense that a nonfaulty process 
might reach a state of permanently suspecting a faulty pro- 
cess without being explicitly aware of this fact. Since the 
details of the MW-SVSS protocol are somewhat technical, 
we refer the reader to Section 3.1 for a high-level description. 

The rest of this paper is organized as follows. In Sec- 
tion 2, we state the properties of SVSS and MW-SVSS. In 
Section 3, we provide an implementation of MW-SVSS and 
prove that it has the required properties. In Section 4, we 
do the same for SVSS, using MW-SVSS as a subroutine. A 
description of Bracha's Reliable Broadcast protocol, which 
we use as a subroutine, is given in the appendix. 

2. SHUNNING VSS 

As we mentioned above, in SVSS, if either the binding 
property or the validity property does not hold, then a new 
faulty process is ignored in all future invocations by some 
nonfaulty process. To implement this, each process needs 
to keep track of the processes it knows to be faulty. Thus, 
the SVSS scheme actually has two components: a detection 
and message management protocol (DMM protocol) and a 
VSS protocol. Each process uses its DMM protocol to de- 
cide which messages to discard, which to ignore for now, 
and which to act on, and to keep track of the processes it 
knows to be faulty. The DMM protocol is invoked when 
the SVSS scheme is initialized, and then runs indefinitely 
and concurrently with all the invocations of the VSS proto- 
cols. The VSS protocol may be invoked a number of times 
while the SVSS scheme runs, and several invocations may 
be running concurrently. The VSS protocol is composed of 
a pair of protocols S (for share) and TZ (for reconstruct). 



These protocols are called separately; TZ is never called un- 
less S completes, but TZ may not be called at all even if <S 
completes. We associate with each VSS invocation a unique 
session identifier (c, i) that is composed of a counter c and 
the dealer's identifier i. We tag all events of that invocation 
with its session identifier, so that it is always clear which 
invocation of the VSS protocol an event belongs to. 

We say that a VSS invocation has completed for process j 
if process j completed the reconstruct associated with that 
session. Given a process j and two VSS invocations with 
session identifiers (c, i) and {c',i'), we write (c, i) {c',i') 
if process j completes the invocation of the VSS (c, i) before 
process j begins the invocation of the VSS {c',i'). 

As we said in the introduction, our VSS scheme is shun- 
ning. Process i may start shunning j well before i is sure 
that j is faulty; indeed, i may shun j without ever knowing 
that j is faulty. 

Definition 1. Process j is shunned by process i start- 
ing in session {c,l) of MW-SVSS (resp., SVSS) if process i 
does not ignore some message from j during session {c,l), 
but ignores or discards all messages from j associated with 
every session {c',l') of MW-SVSS (resp., SVSS) such that 
{c,l) -^i ic',n. 

2.1 Properties of SVSS 

Each VSS invocation has one process d designated as the 
dealer; the dealer has some input value s. For ease of ex- 
position, we do not include the session identifier in our de- 
scription of the properties of the VSS protocol when they 
are clear from the context, although we do include them in 
the description of the protocols. Each VSS invocation must 
satisfy the following properties (in runs with at most t faulty 
processes); we call these the SVSS properties. 

1. Validity of Termination. If a nonfaulty dealer initi- 
ates protocol 5, then each nonfaulty process will even- 
tually complete protocol 5. 

2. Termination. If a nonfaulty process completes pro- 
tocol <S, then all nonfaulty processes will eventually 
complete protocol <S. Moreover, if all nonfaulty pro- 
cesses begin protocol TZ, then all nonfaulty processes 
will eventually complete protocol TZ (note, however, 
that if only some but not all nonfaulty processes begin 
protocol TZ, then there is no termination requirement). 

3. Binding. Once the first nonfaulty process completes 
an invocation of 5 with session id (c, d), there is a value 
r such that either 

• the output of each nonfaulty process that com- 
pletes protocol 7?, is r; or 

• there exists a nonfaulty process i and a faulty 
process j such that j is shunned by i starting in 
session (c, d). 

4. Validity. If the dealer is nonfaulty, then either 

• the output of each nonfaulty process that com- 
pletes protocol 7?, is s; or 

• there exists a nonfaulty process i and a faulty 
process j such that j is shunned by i starting in 
session (c, d). 

5. Hiding. If the dealer is nonfaulty and no nonfaulty 
process invokes protocol TZ, then the faulty processes 
learn nothing about the dealer's value^ 

^To make this precise, assume that the adversary determines 



2.2 Properties of MW-SVSS 

In order to implement the VSS protocol, we use a weaker 
protocol called moderated weak shunning (asynchronous) VSS 
(MW-SVSS). Just as VSS, the MW-SVSS protocol is com- 
posed of a share protocol S' and a reconstruction protocol 
TZ' . As in weak VSS, we weaken the Binding property so 
that each nonfaulty process reconstructs either r or _L. But 
now, in addition to having one process d designated as the 
dealer, there is an additional process designated as the mod- 
erator. Both the dealer and the moderator have (possibly 
different) input values, denoted s and s' , respectively. Each 
MW-SVSS invocation must satisfy Termination and Valid- 
ity, just like VSS, and the following variants of the proper- 
ties of VSS (in runs with at most t faulty processes) ; we call 
these the MW-SVSS properties. 

1'. Moderated Validity of Termination. If a non- 
faulty dealer initiates protocol S' , the moderator is 
nonfaulty, and s = s', then each nonfaulty process will 
eventually complete protocol S' . 

3'. Weak and Moderated Binding. Once the first non- 
faulty process completes an invocation of protocol S' 
with session id (c, d), there is a value r (possibly ±) 
such that 

• if the moderator is nonfaulty, then r — s' . 
In addition, either 

• the output of each nonfaulty process that com- 
pletes protocol TZ' is either r or _L; or 

• there exists a nonfaulty process i and a faulty 
process j such that j is shunned by i starting in 
session (c, d). 

5'. Moderated Hiding. If the dealer and moderator are 
nonfaulty and no nonfaulty process invokes protocol 
TZ' , then the faulty processes learn nothing about the 
dealer's value. 

It might seem surprising that in the second condition of 
Validity and (Weak and Moderated) Binding, we talk about 
shunning rather than just saying that a faulty process is 
detected. The reason is that, as we show in Example 1 (after 
we give the implementation of the MW-SVSS protocol), it 
is possible that two nonfaulty processes will complete an 
invocation of the MW-SVSS protocol with different values 
without (explicitly) detecting a new faulty process; however, 
in that case, at least one of them will shun a faulty process 
that was not shunned before. 

3. IMPLEMENTING DMM AND MW-SVSS 
3.1 A high-level description 

In this section, we provide an implementation of DMM 
and MW-SVSS. We start with a high-level description of 
both. Both protocols use the Reliable Broadcast protocol 
(RB) of Bracha [3]. RB guarantees that messages are indeed 
broadcast; if a nonfaulty sender sends a message m, then all 

the scheduling protocol: how long each message will take to 
arrive as a function of the history. Note that once we fix 
the inputs, the faulty processes, the protocols used by the 
faulty processes, and the scheduling protocol, the VSS pro- 
tocol (which is used by the nonfaulty processes) determines 
a distribution on runs. Formally, hiding requires that for 
all distributions determined this way, the dealer's value is 
independent of the histories of the faulty processes. 



nonfaulty processes eventually receive m, and nothing else. 
(The properties of RB are stated carefully in the appendix, 
where, for completeness, an implementation is provided.) 

We assume that the dealer creates n + 1 degree-f poly- 
nomials /, /i, ■ . ■ , /n over some finite field F with > n 
such that /(O) is the secret (i.e., /(O) = s) and fi{0) — f(l)- 
Then the dealer shares the polynomials fi, . . . , f„ and also 
gives each process j the polynomial fj. We can think of 
process j as a potential "monitor" for fj . The dealer shares 
the polynomial by sending each process k the value fj{k). 
This means that, if the dealer is correct, any t+1 nonfaulty 
processes can reconstruct fj. In addition, the dealer sends / 
to the moderator. Each process k that receives fj{k) sends 
this value to j and broadcasts a confirmation. In this case, 
we can think of process fc as a "confirmer" for fj (k) . When 
j receives confirmations and values that agree with the poly- 
nomial fj sent by the dealer from at least n — t processes, j 
becomes a "monitor" for fj, sends fj{0) to the moderator, 
and broadcasts the set Lj of at least n — t confirmers whose 
value it accepted. Intuitively, each monitor j is responsible 
for validating the value of one point on the polynomial /, 
namely, f{j) = /j(0). When the moderator receives at least 
n — t values all of which agree with the polynomial / from 
different monitors and receives confirmations from their as- 
sociated Lj sets, then the moderator broadcasts the set of 
n — t monitors' indexes it accepted. The dealer broadcasts 
a confirmation when it learns that the moderator, its moni- 
tors, and their confirmers have acted in a nonfaulty manner. 
This allows nonfaulty processes to know which confirmers 
they need to wait for in order to complete their execution of 
the share protocol. 

In the reconstruct phase, processes send their values using 
the RB protocol. If the dealer is nonfaulty, then it can check 
the values sent by all processes and detect faulty processes. 
If the dealer is faulty, then there are at least t + 1 nonfaulty 
monitors I that can monitor their polynomial /; . If they do 
not detect problems with their confirmers, then the Weak 
Binding property must hold. 

We now explain how processes shun other processes if a 
problem is detected. Before a process i "sees" a message 
in the MW-SVSS protocol (or the SVSS protocol that we 
present later), the message is filtered by the DMM proto- 
col. The DMMi protocol decides whether to discard the 
message, ignore it for now, or pass it on for action. In 
order to do this, DMMi must maintain a number of data 
structures. First, it maintains the partial order on ses- 
sions described above, where (ci, ji) —fi (02,^2) if * started 
the share protocol of VSS session (c2,j2) after completing 
the reconstruct protocol of VSS session (ci,ji). In addi- 
tion, the DMMi protocol uses a variable Di that repre- 
sents a set of processes. Intuitively, the processes in Di 
are ones known by i to be faulty. Any message sent by a 
process j G Di is discarded by i. To decide which mes- 
sages to ignore for now and which to pass on for action, 
DMMi maintains two arrays. The first array, denoted ACK;, 
consists of tuples in {1, . . . , n} x {1, . . . ,n} x IN x F. In- 
tuitively, {j, I, c, x) G ACKi if i is expecting to receive a 
broadcast sent by j using RB saying fi{j) — x as part of 
a VSS session (c, i) (thus, this is a session for which i is 
the dealer). The second array, denoted DEALi, consists 
of tuples in {1, . . . , n} X iV X {1, . . . , 71} X F. Intuitively, 
{j,c,l,x) G DEALi if i is expecting to receive a message 
broadcast by j (using RB) saying fi{j) = x as part of VSS 



session (c, Z). Both ACKi and DEALi are initially empty. 
We will explain how tuples are added to ACKi and DEALi 
when we describe the MW-SVSS protocol. 

Process i ignores (that is, saves but does not act on) all 
messages from process j that are part of a session {c',k) 
such that either {j,l,c,s) G ACKi and (c, i) — >i {c',k) or 
{j,c,l,s) G DEALi and {c,l) — > (c',fc). That is, newer mes- 
sages from j are ignored by i if i is expecting to receive 
something from j that it has not yet received. When a mes- 
sage that i expects to hear from j that is associated with 
either with {j,l,c,s) G ACKi or with {j,c,l,s) G DEALi, 
then the relevant tuple is removed from ACKi or DEALi. 
Once there are no messages that i expects to hear from j 
from a session that precedes {c',k), then the DMMi proto- 
col enables the MW-SVSS protocol to act on messages from 
session {c' ,k). 

Finally, process j is added to Di if a message is received 
from j that is inconsistent with what is expected according 
to a tuple in ACKi or DEALi. For example, if {j,l,c,s) G 
ACKi and i receives a message as part of session (c, i) from 
j saying fi{j) = s', with s' 7^ s, then j is added to Di, and 
messages sent by j in all sessions {c',k) such that (c, Z) — >i 
(c', k) will be discarded by i. 

3.2 Implementing MW-SVSS 

We now show how to implement MW-SVSS. We start 
with the share protocol S' . We assume that the field F being 
used is common knowledge and \F\ > n. In the S' protocol 
(and a number of our later protocols), we have variables that 
are tagged by the session id (c, d). If the session id is clear 
from context, we omit it. 

Share protocol S': 

1. If a dealer i wants to invoke S' with a secret s it 
first updates c to c -I- 1 and then selects n + 1 ran- 
dom degree-t polynomials f{x),fi{x),...,fn{x) over 
field F such that /(O) = s and /i(0) = f {l) for all 
I G {l,...,n}. It sends each process j a message 
f'^i.j); ■ • ■ 1 fn{j)j (c, i)- In addition, it sends each pro- 
cess I a message fi{l), . . . , fi{t + l),{c,i) (note that 
this allows I to compute so we sometimes say "Z 
receives /;" in this message), and sends the moderator 
yet another message, /(I), . . . , f{t + 1), (c, i) (so that 
the moderator can compute /). 

2. If process j receives values fi, ■ ■ ■ , fn and polynomial 
fj from a dealer i in session (c, i), then, for each process 
Z, j sends /;■', (c,i) to I. (Note that fl is supposed to 
be fk{j), but if the dealer is faulty, it may not be. 
We continue to use the notation / and f^ to denote 
the polynomials and values actually received.) It also 
broadcasts ack, (c, i) to all processes using RB. 

3. If process j receives fj,{c,i) and ack,{c,i) from pro- 
cess Z, receives fj,{c,i) from the dealer i, and fj = 
fj{l), it adds {l,c,i, fj{l)) to DEALj. Intuitively, the 
message /j — fj{l) provides confirmation to j that the 
dealer sent fi{j) to both j and Z. The fact that j adds 
{l,c,i,f]) to DEALj means that j expects Z to confirm 
publicly (using RB) that indeed it received f] from the 
dealer i, which is what Z told j privately. 

4. Let L,,(,,i) = {I : {l,c,i, fj(l)) G DEAL,}. If |L,| > 



n—t, then j sends Lj,{c, i) to all processes using RB, It 
also sends fj{0), {c,i) to the moderator. Intuitively, if 
\Lj I > n — t, then j has gotten as much confirmation as 
it can expect to get that the dealer i correctly shared 
the polynomial fj. By broadcasting Lj, it is broad- 
casting the set of processes from which it expects to 
hear public confirmation of this fact. By sending /j(0) 
to the moderator, j is giving the moderator a share of 
the information that the moderator needs for comput- 
ing the secret. 

5. If the moderator receives /, (c, i) from the dealer, /q , (c, i) 
and Lj,{c,i) from process j, and ack,{c,i) message 
from all processes I £ Lj, /q = f{j), and /(O) — s', 
the moderator adds j to the set M(^c,i), which is initial- 
ized to 0. Intuitively, if the values that the modera- 
tor receives from j are compatible with the values the 
moderator received from the dealer, and the dealer's 
values are compatible with the moderator's value s' , 
then the moderator adds j for the session (c, i) to M. 

6. If |M(c,i) I > n — t, the moderator sends M(^c,i) , (c, i) to 
all processes using RB. 

7. If the dealer i receives M, (c, i) from the moderator, re- 
ceives Lj, (c, i) from each process j £ M, and receives 
ack, {c,i) from each process I £ Lj such that j £ M, 
then it adds {l,j,c,fj{l)) to ACK^ for all j G M and 
I Lj, and sends OK, (c, i) using RB. Note that if the 
moderator is nonfaulty and it sends these messages 
to the dealer, then it really did receive Lj, {c,i) from 
each process j £ M and ack, {c,i) from each process I 
in Lj, and these messages were sent using RB. Thus, 
the dealer will eventually receive all these messages too 
and, if nonfaulty, will broadcast the OK message. 

8. If process j receives M, (c, i) from the moderator and 
j (f: M then j removes from DEAL^ all entries of the 
form {■,c,i,-) that are associated with session (c, i). 
Intuitively, since j ^ M for session (c, i), we do not 
care about the values of fj for this session. 

9. If process j receives an OK,{c,i) message from the 
dealer, M, (c, i) from the moderator, Li, (c, i) from each 
process I £ M, and ack, {c,i) from each k £ Li such 
that I £ M, it completes this invocation of the share 
protocol S' . 

Reconstruct protocol TZ': 

1. If process j £ Li for I £ M, then j broadcasts I, , (c, i) 
using RB, where /;■' is what j received from the dealer 
at step 2 of >S'. 

2. Process j initializes Kj^i^(^i.^i) to for each process / for 
which it has received a set Li. If j receives a message 
l,fi, {c,i) from process k at step 1, and k £ Li, then 
j adds (Z, f^) to Kj^i. Intuitively, (Z, fi) should be the 
point {k, fiik)) on the polynomial fk- 

3. li \Kj^i \ = t -\- 1, then j finds the unique degree t poly- 
nomial fi that interpolates the points in l-Zfj,;]. 

4. After computing /; for all Z £ M , j tries to interpolate 
a polynomial / such that /(Z) = /;(0) for all Z £ M. If 
/ exists, j outputs /(O); otherwise, j outputs -L. 



3.3 Implementing DMM 

We now describe the implementation of DMMi. 
Protocol DMMi 

1. Initialize an empty set of processes Di, an empty array 
ACKi consisting of tuples in {1, . . . , n} x {1, . . . , n} x 
IN xF, and an empty array DEAL; consisting of tuples 
in {1, . . . , n} X iV X {1, . . . ,n} x F. As we said earlier, 
intuitively, {j, l,c,x) £ ACKi if i is expecting to receive 
a broadcast sent by j using RB saying fi{j) = x as 
part of VSS session (c, i) and {j, c, I, x) £ DEALi if i 
is expecting to receive a message broadcast by j using 
RB saying fi{j) = x aa part of VSS session (c, Z). 

2. If (j, l,c,x) £ ACKi and a broadcast message x' ,j, (c, i) 
is received then 

• if a; = x' , then remove (j, I, c, x) from ACKi; 

• otherwise, add j to Di . 

(See line 7 of protocol S' for the condition that causes 
a tuple {j, I, c, a;) to be added to ACKi.) 

3. If {j, c, I, x) £ DEALi and a broadcast message x' , i, {c,j) 
is received, then 

• if X = a::' then remove {j, c, I, x) from DEALi; 

• otherwise, add j to Di. 

(See line 3 of protocol S' for the condition that causes 
a tuple {j, c, I, x) to be added to DEALi.) 

4. If a message sent from j is received and j £ Di, then 
discard the message. 

5. If a message with session identifier {c',i') sent from 
j ^ Di is received, then delay this message if there is 
a tuple {j,l,c,x) £ ACKi such that (c, i) ^i (c',i') or 
a tuple {j,c,l,x) £ DEALi such that (c, j) ^i {c',i'). 
If there is no such tuple in ACKi or DEALi (or after 
all such tuples have been removed), then forward the 
message to the VSS invocation of session (c',i'). 

We now show that the MW-SVSS protocol satisfies the 
MW-SVSS properties. To do this, we first must establish 
two key properties of the DMM protocol. 

Lemma 1. Ifiis nonfaulty, then DMMi satisfies the fol- 
lowing two properties: 

(a) if i £ Di, then j is a faulty process; 

(b) if j is nonfaulty, {j,l,c,x) £ ACKi (resp., {j,c,l,x) £ 
DEALi ), and all nonfaulty processes complete session 
(c, i) (resp. (c, Z) ), then eventually {j, I, c, x) is removed 
from ACKi (resp., {j,c,l,x) is removed from DEALi). 



Proof. For part (a), note that the only reason that i 
adds j to Di is if {j,l,c,x) £ ACKi (resp., {j,c,l,x) £ 
DEALi) and the DMM protocol detects that process j sent 
a message //,Z, (c, i) (resp., /f ,i, (c, Z)) using RB such that 
// 7^ X (resp., 7^ x). If j is nonfaulty then x — fi{j) 
(resp., X — fi(i)), hence i would not add j to Di if j is 
nonfaulty. 

Part (b) follows from the observation that if {j,l,c,x) £ 
ACKi or {j,c,l,x) £ DEALi, then the tuple was added 
during the share phase. If (j, I, c, x) £ ACKi and session 
(c, i) completed, then it must be the case that j £ Li and 
Z £ M(^c,i)- Since j is nonfaulty, then the message required 
to remove the tuple from ACKi will be sent using RB by 



j during the reconstruct phase, and will eventually be re- 
ceived by i. If {j,c,l,x) £ DEALi then there are two cases. 
If this entry was removed in line 8 of protocol S' , then we 
are done. Otherwise, since session (c, /) completed, it must 
be the case that j £ Li and i £ Af(c,i)- Hence the message 
required to remove the tuple from DEALi will be sent using 
RB by j during the reconstruct phase, and will eventually 
be received by i. □ 

We now prove that all the MW-SVSS properties hold. 

Lemma 2. The MW-SVSS protocol satisfies the 
MW-SVSS properties. 

Proof. We consider the properties in turn. 

Moderated Validity of Termination. If the dealer 
and the moderator are nonfaulty and s = s' then, for all 
nonfaulty processes j and I, eventually {j, c, i, f^) will be in 
DEAL;. Hence, eventually \Li\ will be at least n — t. Thus, 
eventually I will complete step 4 of the share protocol. (For 
future reference, note that although the first n — t elements 
of Li may not all be nonfaulty, at least t+l of the elements of 
Li will be nonfaulty.) Moreover, since j' G Li only if j' sent 
an ack, (c, i) message using RB, eventually the moderator 
will receive an ack, (c, i) message from all j £ Li. Thus, if 
I is nonfaulty, a nonfaulty moderator will eventually add / 
to M in step 5 of the share protocol. Since there are n — t 
nonfaulty processes, eventually we must have \M\ > n — t, 
so the moderator completes step 6 of the share protocol. We 
already gave the intuition that a nonfaulty dealer will then 
broadcast OK at step 7. Thus, all nonfaulty processes will 
eventually complete protocol S' . 

Termination. If a nonfaulty process j completes proto- 
col S' , then, since all the messages that caused j to complete 
the protocol are sent using RB, it follows that all nonfaulty 
processes eventually complete S' . The fact that they all 
complete TZ' follows since, as observed above, the set Li for 
each I £ M contains at least t-\- 1 nonfaulty processes, each 
of which eventually sends its value in step 1 of 72.'. Thus, 
each nonfaulty process outputs either some value in F or _L 
at step 3 of TZ' . 

Validity. Suppose that the dealer i is nonfaulty. There 
are two cases. If some faulty process j such that {j, I, c, x) £ 
ACKi sends a message x',l, {c,i) at step 1 of TZ' such that 
X ^ x' , then i did not ignore some message from j during 
session (c, i), {j,l,c,x) will never be removed from ACK^, 
and eventually j will be added to Di by line 2 in the DMMi 
protocol. Hence, j is shunned by i starting in session (c, i). 
Thus, if no process is shunned by i for the first time in (c, i), 
it must be the case that, for each process I £ M , all the 
values broadcast by processes in Li agree with Since 
there will eventually be at least t + 1 values broadcast from 
processes in Li, all nonfaulty processes will interpolate /; 
for all ^ £ M, and subsequently will interpolate / and the 
secret s. 

Weak and Moderated Binding. If the dealer is non- 
faulty, it follows from Validity that Weak Binding holds, 
taking r = s. So suppose that the dealer i is faulty. If there 
is a faulty process j such that (j, c,i,x) £ DEAL; for a non- 
faulty process I and j sends a message I, x' , (c, i) in step 1 of 
TZ' such that x ^ x' . In this case I did not ignore a message 
from j during session (c, i), (j, c, i, x) will never be removed 
from DEAL;, and eventually j will be added to Di by line 



3 in the DMM; protocol. Hence, j is shunned by I starting 
in session (c, i), so weak and moderated binding holds. On 
the other hand, if, for each nonfaulty process I £ M, all 
the values broadcast by processes in L; are what they were 
expected to be then, at the time that the first nonfaulty pro- 
cess completes protocol S' , the set M is fixed. Let H C M 
be the set of nonfaulty processes in M. For each I £ H, the 
value /;(0) is also fixed. If there exists a degree-t polyno- 
mial h that interpolates the points in {(^,/;(0)) | I £ M}, 
then let r = h{0); otherwise, let r = _L. We claim that each 
nonfaulty process will output either r or ± at the recon- 
struct phase. This is true since all nonfaulty processes will 
interpolate /; for all I £ M correctly. Since \H\> t -\- 1, the 
values {{l,fi{^)) I ^ € determine a polynomial h. If all 
remaining values /; (0) obtained from the polynomials /; for 

1 £ M \ H agree with h, then r is output; otherwise, _L is 
output. 

It easily follows from step 5 of S' that if the moderator 
is nonfaulty, then the values {{I, fiiQ)) \ I £ M} can be 
interpolated only by a polynomial h such that /i(0) is the 
moderator's value s'; that is, r = s' . 

Moderated Hiding. If the dealer and moderator are 
nonfaulty then, as long as no nonfaulty process has invoked 
protocol TZ, the combined view of any t faulty processes is 
distributed independently of the value of the shared secret, 
s. This follows since the dealer uses random degree-t poly- 
nomials, so no set of size t learns any information. □ 

As promised, we now show that it is possible that two non- 
faulty processes will complete an invocation of MW-SVSS 
with different values without detecting a new faulty process. 

Example 1. Let ri — 4 and t = 1. Consider an invoca- 
tion of the MW-SVSS protocol with processes 1, 2, 3, and 4, 
where 2 is the dealer and 1 is the moderator. Suppose that, in 
the share protocol S' , process 4 is delayed. Hence, processes 
1, 2, and 3 hear only from each other before completing the 
share protocol. Thus, Li = L2 = L3 = M = {1,2,3}. Now 
suppose that in the reconstruct protocol TZ' , process 3 hears 
the values sent by 2 according to line 1 ofTZ' before hearing 
from 1 or 4. Since it clearly hears from itself as well, Ks^i, 
Ki^2, and -K'3,3 will each have two points — one from 2 and 
one from 3. Since t -\- 1 — 2 in this case, it follows from 
step 3 that 3 will then find the unique degree 1 polynomials 
fi, /2, and /a that interpolate the points in ifs,!, -R'3,2, and 
Ki,s,, respectively. If fi{0), /2(0), and fi{Q) are collinear, 
and f is the polynomial that interpolates them, then 3 out- 
puts /(O). If 2 IS faulty, then by choosing the values it sends 
appropriately, 2 can make /(O) an arbitrary element of F. 
Now if 1 hears from 3 before hearing from 2 or A, 1 will also 
output a value, which may be different from 3 's. 

Of course, to get 3 to output a value different from 1 's, 2 
must send a value fi that is different from the one that 1 
expects to hear. Once 1 gets this value, it will realize that 

2 is faulty, and add 2 to its set Di. However, this may 
happen after both 2 and 3 have completed the invocation of 
MW-SVSS. Notice that this argument relies on the fact that 
processes use RB to send their values. □ 

4. IMPLEMENTING SVSS 

In this section, we show how to implement SVSS, and then 
prove that our implementation satisfies the SVSS properties. 
The difficulties of doing this are illustrated by Example 1: 



it is possible that two nonfaulty processes output different 
values in an invocation (c, i) of the MW-SVSS protocol. Of 
course, by the Weak Binding property, this can happen only 
if a new faulty process is eventually detected (and is shunned 
in all invocations that follow {c,i)). Nevertheless, this de- 
tection can come after all processes have completed (c, i). 
Thus, we must show that the inconsistency cannot cause 
problems. 

Share protocol S: 

1. If a dealer i wants to invoke <S with a secret s, it first 
updates c to c + 1, initializes sets of processes G(c,i) 
and Gj^i^ci), j 7^ i, to and chooses a random degree-t 
bivariate polynomial f{x, y) over the field F such that 
/(0,0) = Let gj{y) = f{j,y) and let hj{x) = f{x,j), 
for j = 1, . . . ,n. Dealer i sends each process j the 
message gj(l), . . . ,gj{t + 1), hj{l), . . . , hj{t + l),(c,i) 
(so j can reconstruct gj and hj). 

2. If a process j receives gj and hj from dealer i for a 
session (c, i), then for each process I 7^ j, process j 
participates in four invocations of MW-SVSS protocol 
S': 

(a) as a dealer with secret f{l,j) and moderator / 
(who should also have value f{l,j) if i and I are 
nonfaulty) ; 

(b) as a dealer with secret f{j,l) and moderator / 
(who should also have value f{j,l) if i and / are 
nonfaulty) ; 

(c) as a moderator with secret f{l,j) and dealer / 
(who should also have value f{l,j) if i and I are 
nonfaulty); and 

(d) as a moderator with secret f{j,l) and dealer / 
(who should also have value f{j,l) if i and / are 
nonfaulty). 

3. The dealer i adds j to the set Gi^(^c,i) and I to the set 
Gj^(c,i) if the dealer completes all four invocations of 
the share part of MW-SVSS 5' with j and / playing 
the roles of dealer and moderator. 

4. The dealer i adds j to the set G^c.i) if \Gj,(c,i) \>'n — t. 

5. If |G(c,i) I > n — the dealer sends G(c,i) , {Gj.(c,i) | jG 
G}, (c, i) using RB. 

6. When process / receives G, {Gj | j G G},(c, i) from 
the dealer and completes all four S' protocols for each 
pair j, I such that j £ G and I £ Gj, then it completes 
this invocation of 5. 

Reconstruct protocol TZ: 

1. Each process j initializes the set Ij,(c.i) to and in- 
vokes the reconstruct protocol TZ' for each of the four 
invocations of MW-SVSS for each pair (fe, I) such that 
k £ Gi^ci) and / G Gi^^(^c,i)- After the four reconstruct 
protocols associated with k and I are complete, j sets 

^Specifically, since a bivariate polynomial of degree t has the 
form X^'^Q X^j=o '^'j^^V'' y simply set aoo = s and choose 
the remaining coefficients at random from F. Of course, the 
same ideas apply to choosing a random univariate polyno- 
mial / such that /(O) = s. 



r-' , , , to the reconstructed output value for the en- 
try f{k,l) where x was the dealer in the MW-SVSS 
protocol (so that x is either k or I). 

2. For each k £ G, process j adds k to Ij^(c.i) if 

• there exists / £ Gk such that Vkki or Vkik are _L; 
or 

• there do not exist degree-f polynomials that inter- 
polate {{l,riJ : I £ Gk} or {(l,riJ : I £ Gk}. 

Intuitively, Ij,(c,i) consists of those processes that j 
ignores in invocation (c, i). 

3. For each k £ G \ Ij , process j computes the degree-t 
polynomials gk and hk that interpolate {{l,rlki) • I G 
Gk} and {{I, rlii^) : I £ Gk}- If there exist k,l £ G\Ij 
such that hk{l) 7^ gi{k), then j outputs ±. Otherwise, 
if there is a unique degree-t bivariate polynomial / 
such that for all k,l £ G\Ij, f{k,l) = gk{l) = hi{k), 
then j outputs /(0,0); otherwise, j outputs ±. 

This completes the description of the SVSS protocol. 

Lemma 3. The SVSS protocol satisfies the SVSS proper- 
ties. 

Proof. For any SVSS session (c, i), if k,j are nonfaulty 
processes, then all messages sent from k to j will eventually 
not be ignored. This is true since, if {c',i') — »j (c, i), then 
j completed all TZ' invocations associated with (c, i). From 
the way we use MW-SVSS in TZ, all processes will also invoke 
all TZ' sessions associated with (c, i). Hence from the Termi- 
nation property of MW-SVSS and Lemma 1, it follows that 
all messages that j expects k to send in session {c',i') will 
eventually be received. We now go through SVSS properties 
in turn. 

Validity of Termination. If the dealer is nonfaulty, 
then for any two nonfaulty processes k and I, eventually all 
four invocations of S' will complete. So eventually the set 
Gi will be of size at least n — t for each nonfaulty I, the set G 
will eventually contain at least n — t elements, and all four 
S' invocations for each j £ G and I £ Gj will complete. By 
the properties of RB, all processes will eventually receive the 
sets G and {Gj : j £ G} and, by the Termination property 
of MW-SVSS, for each j G G and I £ Gj, all processes will 
eventually complete all four invocations of S' . Hence, all 
nonfaulty processes will complete protocol <S. 

Termination. If a nonfaulty process completes proto- 
col S, then it follows from the Termination property of the 
MW-SVSS protocol and the Reliable Broadcast properties 
that all nonfaulty processes complete S. The fact that they 
all complete TZ follows from the Termination property of the 
MW-SVSS protocol. 

Validity. Suppose that the dealer i is nonfaulty in an 
invocation of S with session id (c, i). There are two cases. If 
a faulty process j is first shunned by a nonfaulty process I in 
some MW-SVSS invocation with session {c ,i') that is part 
of the SVSS invocation with session id (c, i), then, because 
/ started (c, i) before starting {c',i') and I completes {c',i') 
before completing (c, i), j is also first shunned by I starting in 
session (c, i) of SVSS. On the other hand, if no faulty process 
is shunned starting in session (c, i), then all invocations of 
MW-SVSS must satisfy the first clause of the Validity and 



Weak and Moderated Binding properties. It follows from 
(the first clause of) the Validity property that if fc £ G(c,i) 
is nonfaulty, then for all I £ Gk, it must be the case that 
'"fcfci ~ fi^' ^iid ''feife ~ /(^' ^) (since k acts as the dealer 
in computing these values, / acts as the moderator and the 
values themselves are correct, since they were received from 
i). Thus, it follows that k ^ Ij,{c,i)- Similarly, it follows 
from (the first clause of) the Weak and Moderated Binding 
property that, for all fc £ G and / £ Gk, if either / or k 
are nonfaulty, then it must be the case that rj';^ and r^,^, are 
each either /(/, k) or ±, and that r^^.^ and r^^.^ are each either 
f{k, I) or _L. (Here we use the fact that the nonfaulty process 
— either k or / — is acting as either dealer or moderator in 
the invocations of MW-SVSS during which these values are 
computed.) Thus, even if / is faulty, if I ^ Ij, then we must 
have hk{l) = gi{k) for all nonfaulty k £ G. It follows that, 
in step 3 of TZ, j correctly reconstructs hi and gi for all 
I £ G \ Ij. Thus, the polynomial / computed by j will be 
/, and j will output /(O, 0). 

Binding. If the dealer is nonfaulty, it follows from Valid- 
ity that Binding holds, taking r = s. If the dealer is faulty, 
there are again two cases. If a faulty process j is shunned 
by a nonfaulty process I in some MW-SVSS invocation with 
session (c',i) that is part of the SVSS invocation session 
(c, i), then, as argued in the proof of Validity, j is also first 
shunned by / in invocation (c, i). On the other hand, if no 
faulty process is shunned starting in session (c, i), then all 
invocations of MW-SVSS must satisfy the first clause of the 
Validity and Moderated Weak Binding properties. Consider 
the time that the first nonfaulty process completes protocol 
S. At this time, the set G is fixed. Let H be the set of 
nonfaulty processes in G. Since \G\ > n — t, we must have 
that \H\ > t+1. If there is a unique degree-t bivariate poly- 
nomial f{x,y) induced by the entries rjji,rjij for all j £ H 
and I £ Gj, then set r = /(O, 0); otherwise, set r = _L. 

We claim that each nonfaulty process will output r at the 
reconstruct phase. As in the proof of the Validity property 
for SVSS, it follows from (the first clause of) the Validity 
property for MW-SVSS that if fc £ G(c,i) is nonfaulty, then 
for all nonfaulty I £ Gk, we have that r^j^i — gk{l) and 
'''ilk ~ ^k{l), where gk and hk are the polynomials sent by i 
to k. Thus, k ^ Ij^{^c^iy Hence, if r = ±, then all nonfaulty 
processes will output _L. Moreover, if r 7^ ±, then, as in 
the proof of Validity for SVSS, by the Weak and Moderated 
Binding property, and from the fact that \H\ > t + 1, for all 
Z £ G \ 7j, it must be the case that gi and hi agree with /. 
Therefore j will interpolate / and output r. 

Hiding. If the dealer is nonfaulty and no nonfaulty pro- 
cess has invoked protocol TZ, then the combined view of any 
t processes is distributed independently of the dealer's value 
s, because every polynomial hj and gj has degree t, and no 
process learns more than t values of these polynomials. □ 

This completes the construction of the SVSS protocol. We 
now briefiy sketch how, using ideas from Canetti and Rabin 
[4] , we can use SVSS to construct the required asynchronous 
Byzantine agreement protocol. 

5. FROM SVSS TO BYZANTINE 
AGREEMENT 

Once we have SVSS, we can get an almost-surely termi- 
nating polynomial protocol for Byzantine agreement with 



optimal resilience, following the ideas outlined in Canetti's 
[6] thesis. We proceed in two steps. The first step is to 
get a common coin. Canetti and Rabin showed that, given 
e > 0, an AVSS protocol that terminates with probability 

I — e could be used to construct a protocol CC that gives a 
common coin and terminates with probability 1 — e. We use 
SVSS to get a shunning Common Coin (SCC) protocol. 

Definition 2 (SCC). Let n be a protocol where each 
party has a random input and a binary output. As in SVSS, 
we tag each invocation of tt with a unique session identi- 
fier c. We say that n is a shunning, terminating, t-resilient 
Common Coin protocol (SCC protocol) if the following prop- 
erties, called the SCC properties, hold (in runs with at most 
t faulty processes in some session tagged c ): 

1. Termination. All nonfaulty processes terminate. 

2. Correctness. For every invocation either 

• for each a £ {0, 1}, with probability at least 1/4, 
all nonfaulty processes output a; or 

• there exists a nonfaulty process i and a faulty pro- 
cess j such that j is shunned by i starting in ses- 
sion c. 

Lemma 4. For n > 3t there exists a shunning, terminat- 
ing, t-resilient Common Coin protocol. 

Proof. The protocol to implement SCC is exactly the 
protocol in Figure 5-9 in [6], except that we replace the 
AVSS protocol with our SVSS. The proof that this proto- 
col satisfies the SCC properties follows from Lemmas 5.27- 
5.31 in [6], together with the observation that if a process 
is shunned starting at a SVSS invocation whose reconstruct 
protocol competes before the SCC protocol invocation com- 
pletes, then this process is shunned starting at this SCC 
protocol invocation. □ 

The second step is to use the common coin protocol to 
get the Byzantine agreement protocol. Canetti and Rabin 
use their common coin protocol CC that terminates with 
probability 1 — e to get a Byzantine agreement protocol that 
terminates with probability 1 — e. We replace the use of 
CC by SCC to get an ahnost-surely terminating protocol. 
The key observation is that in the protocol of Figure 5- 

II in [6], if a nonfaulty process j participates in rounds r 
and r' (and hence, in our setting, it participles in the SCC 
protocol with session identifiers r and r'), and r < r' , then 
it must be the case that r r' . Therefore, there can 
be at most t{n — t) = O(n^) rounds r such that a nonfaulty 
process i shuns a faulty process j starting in round r. Hence, 
there are at most 0{n^) rounds where the SCC protocol does 
not succeed. In all the remaining rounds, the first clause 
of the SCC Correctness property holds, so we essentially 
have a common coin that is sufficiently strong for Byzantine 
agreement. It therefore follows from Lemma 5.38 and 5.29 of 
[6] that the expected running time of the protocol is O(n^). 
Thus we have the following result. 

Theorem 1 (Byzantine Agreement). There is an almost- 
surly terminating, polynomial protocol for asynchronous Byzan- 
tine agreement protocol with optimal resilience. 



6. CONCLUSIONS 

We have shown how to use SVSS to give a protocol for 
asynchronous Byzantine agreement that has optimal resilience, 
almost-surely terminates, and is polynomially efficient. Our 
SVSS protocol has implications for asynchronous Secure Mul- 
tiparty Computation (ASMPC) of certain functionalities. In 
the full paper we define a family of functionalities for which 
the use of SVSS gives a protocol for ASMPC that has op- 
timal resilience, terminates almost surely, and has perfect 
security (the ideal and real worlds are statistically indistin- 
guishable). Perhaps the major open question remaining is 
whether there exists an asynchronous Byzantine agreement 
protocol with optimal resilience and constant expected run- 
ning time. 

APPENDIX 

A. BASIC TOOLS 

A.l Weak Reliable Broadcast 

A protocol B with a distinguished dealer holding input s is 
a f-tolerant Weak Reliable Broadcast protocol if the following 
holds for every execution with at most t faulty processes: 

1. Weak termination. If the dealer is nonfaulty, then 
every nonfaulty process will eventually complete pro- 
tocol B. 

2. Correctness. 

(a) if a nonfaulty process completes protocol B, then 
once the first nonfaulty process completes the pro- 
tocol there is a value r such that each nonfaulty 
process that completes protocol B accepts r; 

(b) if the dealer is nonfaulty, then each nonfaulty pro- 
cess that completes protocol B accepts s. 

Lemma 5. For n > 3t there exists a t-tolerant Weak Re- 
liable Broadcast protocol. 

Proof. This protocol, which we call WRB, is essentially 
Dolev's [8] crusader agreement. It uses two types of mes- 
sages; type 1 messages have the form (r, 1) and type 2 mes- 
sages have the form (r, 2). WRB proceeds as follows: 

1. The dealer sends (s, 1) to all processes. 

2. If process i receives a type 1 message (r, 1) from the 
dealer and it never sent a type 2 message, then process 
i sends (r, 2) to all processes. 

3. If process i receives n—t distinct type 2 messages (r, 2), 
all with value r, then it accepts the value r. 

If the dealer is nonfaulty, then it is immediate that every 
nonfaulty process will send (s,2), and thus will accept s 
(since there are at most t faulty processes, by assumption). 
Moreover, if the dealer is nonfaulty, the only type 2 message 
sent by a nonfaulty process is (s, 2), so no nonfaulty process 
will receive more than t type 2 messages (r, 2) with r 7^ s? 

^ We assume that, as in VSS, if there are multiple invocations 
of WRB, messages are tagged with an invocation number, 
so that messages from old invocations will not be confused 
with messages from the current invocation. 



To see that WRB satisfies the correctness property, sup- 
pose, by way of contradiction, that one nonfaulty process i 
accepts r and another nonfaulty process j accepts r', with 
r ^ r' . Then i must have received n — t type 2 messages 
with value r and j must have received n — t type 2 messages 
with value r' . Thus, at least n — 2t >t + 1 processes must 
have sent a type 2 message to both i and j. At least one of 
these processes must be nonfaulty. But the protocol ensures 
that a nonfaulty process will send only one type 2 message. 
This gives us the desired contradiction. □ 

A.l Reliable Broadcast 

A protocol B with a distinguished dealer holding input s is 
a f-tolerant Reliable Broadcast protocol if the weak termina- 
tion and correctness properties of the Weak Reliable Broad- 
cast holds, and in addition, the following property holds: 

3. Termination. For every execution with at most t 
faulty processes, if some nonfaulty process completes 
protocol B then all nonfaulty processes will eventually 
complete protocol B. 

Lemma 6. For n > 3t there exists a t-tolerant Reliable 
Broadcast (RB) protocol. 

Proof. This protocol, which we call RB, is essentially 
Bracha's echo broadcast. It uses WRB as a subroutine. In 
addition to type 1 and type 2 messages, it uses type 3 mes- 
sages, which have the form (r, 3). RB proceeds as follows: 

1. The dealer sends (s, 1) to all processes using Weak Re- 
hable Broadcast (WRB). 

2. If process i accepts message r from the dealer using 
WRB, then process i sends (r, 3) to all processes. 

3. if process i receives at least t -\- 1 distinct type 3 mes- 
sages with the same value r, then process i sends (r, 3) 
to all processes. 

4. if process i receives at least n — t distinct type 3 mes- 
sages with the same value r, then it accepts the value 
r. 

To see that RB is correct, first observe that, from the cor- 
rectness property of WRB, it follows that it cannot be the 
case that two type 3 message with different values are sent 
by nonfaulty processes at step 2. Moreover, if a nonfaulty 
process sends a type 3 message at step 3, it must be be- 
cause it got a type 3 message from a nonfaulty process. It 
easily follows that all the type 3 messages sent by nonfaulty 
processes at either step 2 or step 3 have the same value. 

If the dealer is nonfaulty, then it is easy to see that all non- 
faulty processes terminate and accept value s, as in WRB. 
To see that termination holds for RB, suppose that a non- 
faulty process completes the protocol. It thus must have 
received n — t type 3 messages with the same value r. Each 
other nonfaulty process will eventually have received at least 
n — 2t > t -\- 1 oi these messages, and so will send a type 3 
message by step 3, if it has not already done so by step 2. As 
we argued above, all the type 3 messages sent by nonfaulty 
processes must have the same value. Thus, each nonfaulty 
process will end up receiving n — t type 3 messages with 
value r. 

Finally, part (b) of correctness follows easily from our ob- 
servation above that all the type 3 messages sent by non- 
faulty processes have the same value r. □ 
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